You can set up a Notes® or Internet client for client authentication with a server. You cannot use client authentication for SMTP and IIOP connections.
About this task
For TLS client authentication, the Notes or Internet client must have:
Publishing third-party CA client certificates in a Person record
Notes and Internet users who hold a client certificate from a third-party certifier may want that certificate published in their Person record. When such a user authenticates to a Domino server over TLS with that certificate, Domino can then map the certificate to the user's Notes identity.
To set up Notes clients with certificates issued by a Domino CA
The CA and client complete these steps.
Procedure
1. Before issuing certificates, the CA must decide whether Internet certificates are created from the existing public and private keys in the Notes ID file, or from new keys generated by a browser certificate request. If the client's browser supports PKCS #12, the client can also import an existing Internet certificate into the Notes ID file. Depending on the environment, the administrator may use a combination of these options for different users.
2. The CA adds a trusted root certificate to a Domino Directory that the client can access.
3. To create a certificate using the existing public and private keys in the Notes ID file:
a. The CA adds an Internet certificate to the user's Person document.
b. The client authenticates with the home server. Notes automatically adds the Internet certificate to the ID file.
4. To create a certificate using new keys generated from a browser certificate request:
a. The client requests the Internet certificate from the CA.
b. The CA approves the request, and Domino automatically adds the client's public key to the user's Person document.
c. The client merges the certificate into the ID file.
To set up Internet clients with certificates issued by a Domino CA
1. The CA administrator creates a Person document for the Internet client.
2. The client obtains the trusted root certificate for the server's CA.
3. The client requests the Internet certificate from the CA.
4. The CA approves the request, and Domino automatically adds the client's public key to the user's Person document.
5. The client merges the certificate into the browser's local certificate store.
To set up Notes and Internet clients with certificates issued by a third-party CA
1. (Internet clients only) The CA administrator creates a Person document for the client.
2. Using any browser, the client follows the third-party CA's established procedure to request and merge the Internet certificate.
3. The Internet client follows the third-party CA's established procedure to merge the trusted root certificate for the CA.
4. The CA adds the client's public key to the Person document.
Example
For example, to obtain an Internet certificate from VeriSign, visit the site TLS Certificate Authority and Digital IDs in the related links and follow the instructions provided.
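Whether the certificate comes from a Domino CA or a third-party CA, the procedures above leave the server with the same two checks to make at authentication time: the presented certificate must chain to a trusted root, and the user is identified by matching the certificate's public key against the key published in a Person document, not by the name printed in the certificate. The script below is an added illustration and is not part of the Domino documentation or of Domino itself: it uses the openssl command line in place of the Domino CA, and "Acme", "Jane Doe", the user tags and the persons.tsv file are constructed stand-ins for the CA, the users and the Person documents in the Domino Directory. It also shows the PKCS #12 packaging that step 1 mentions for carrying an existing certificate and key into another store.

```shell
#!/bin/sh
# Added example, not Domino's code: the client-certificate workflow modelled
# with the openssl CLI. All names and files here are constructed stand-ins.
set -e
WORK=${WORK:-$(mktemp -d)}
PERSONS="$WORK/persons.tsv"      # stand-in for the Person documents
touch "$PERSONS"

# SHA-256 fingerprint of the public key in a PEM certificate or CSR. This is
# what we record in the "Person document" and match on at authentication.
pubkey_fp() {           # $1 = x509|req, $2 = file
  openssl "$1" -in "$2" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 2: the CA creates the trusted root certificate that clients import.
make_ca() {             # $1 = CA tag, e.g. acme
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Acme/CN=$1 CA" -keyout "$WORK/$1-ca.key" \
    -out "$WORK/$1-ca.pem" 2>/dev/null
}

# Step 4a / Internet client step 3: the client generates new keys and a
# certificate request, which is what a browser does for a browser request.
client_request() {      # $1 = user tag, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Acme/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 4b: the CA approves (signs) the request ...
ca_sign() {             # $1 = CA tag, $2 = user tag
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.pem" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/$2.pem" 2>/dev/null
}
# ... and the client's public key is published in the user's Person document.
publish_key() {         # $1 = user tag, $2 = Notes name
  printf '%s\t%s\n' "$(pubkey_fp req "$WORK/$1.csr")" "$2" >> "$PERSONS"
}
ca_approve() { ca_sign "$1" "$2" && publish_key "$2" "$3"; }

# Step 1, third option: package an existing certificate and key as PKCS #12
# so a client can import it elsewhere, and unpack the certificate again.
export_pkcs12() {       # $1 = user tag, $2 = password
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -out "$WORK/$1.p12" -passout "pass:$2"
}
import_pkcs12() {       # $1 = user tag, $2 = password; certificate PEM to stdout
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# What the server does for TLS client authentication: the certificate must
# chain to a trusted root, and its public key must be one recorded in a
# Person document. Prints the Notes name on success; returns 1 otherwise.
authenticate() {        # $1 = trusted root PEM, $2 = presented certificate PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  name=$(awk -F'\t' -v fp="$(pubkey_fp x509 "$2")" '$1==fp {print $2}' "$PERSONS")
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}
```

Run the functions in order (make_ca, client_request, ca_approve, then authenticate) and the script prints the Notes name recorded for that key. A certificate issued by a CA the server does not trust is rejected at the chain check even when its subject name matches a real user, and a certificate from the trusted CA whose key was never published in a Person document is rejected at the lookup. Remove $WORK when finished, since it holds private keys.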
Related concepts
Setting up Notes and Internet clients for TLS authentication
TLS and S/MIME for clients
Related tasks
How users can obtain trusted certificates manually
Creating an Internet cross-certificate for a CA
Issuing Internet certificates in a Person document
Internet certificates for TLS and S/MIME
Signing an Internet client certificate and adding the certificate to the Domino Directory